Scastie: use any Scala compiler and Scala library in the browser

atemerev 9 years ago |

(naturally, the very first thing I tried to evaluate is scala.io.Source.fromFile("/etc/passwd").getLines.mkString("\n") . Spoiler alert: it works!)

masgui 9 years ago | |

It does and you are root. You are evaluating inside a docker container. It's not a bulletproof method but it will stop a few. The instances evaluating your code is also on a network not accessible from the internet. I'm not an expert in security, if you have any advice on how we can improve our defence please tell us.

atemerev 9 years ago | | |

I am not a pentesting expert. My first reaction is to leave everything as is, as it is a very cool to play with root access to docker containers (I managed to reboot one, but a new one immediately appeared on page reload).

My worst concern now would be network security. With root access, it is trivial to e.g. install spambots in all your containers (just checked, command execution works, and external network access is enabled). I think it is a good idea to at least disable networking. (Update: and use a minimal Docker image like Alpine Linux).

Proof:

[__REDACTED__]

opportune 9 years ago | | |

I agree with this. What's to stop me from opening a bunch of the containers and using them to DDOS someone or to send out spam emails? I'm already playing around with system commands and they seem to be entirely unrestricted.

Basically I can run any bash script, as is, with

    import sys.process._
    "BASH_COMMAND" !!

And I seem to be able to at least cause the containers to endlessly restart quite simply.

masgui 9 years ago | | |

Yeah disabling networking was an idea. I prefer to leave it open so you can try http client/libraries that access the web. To limit spam, if it becomes an issue we could throttle the connection.

clhodapp 9 years ago | | |

The general rule is that you want as many layers of security as you can get away with without making things impractically inconvenient. In this case, the first step is probably not letting the user's code run as root in the container. Gaining container-root is going to be the first step in many, many exploits and by letting code just run that way, you are giving a potential attacker that step for free.

Disclaimer: Absolutely not a security expert, just someone who is somewhat on the hook for security!

wsargent 9 years ago | | |

I put together a list of security tips:

https://github.com/wsargent/docker-cheat-sheet#security-tips

Probably the biggest one is to use Virtualbox or another virtual machine so that Docker isn't your only line of defence.

tutanchamun 9 years ago | | |

> I put together a list of security tips: [...]

and 63 contributors. ;p

wsargent 9 years ago | | |

Check the blame log. That section's all me.

tutanchamun 9 years ago | | |

https://github.com/wsargent/docker-cheat-sheet/pull/91

Please don't misunderstand this. I know from reading your postings on /r/scala that you are a humble person. Originally I actually didn't even knew if there was a contributor to the security section besides you and only wanted to tease. :D

ronjouch 9 years ago | | |

Thumbs up for the honest upfront response!

Maybe Jessica McKellar's "Building and Breaking a Python Sandbox" talk can bring some ideas. (But maybe not! It might be too Python-specific or too language-level whereas you want to remain at a higher level with just Docker)

Video: https://www.youtube.com/watch?v=sL_syMmRkoU

Slides: https://speakerdeck.com/pycon2014/building-and-breaking-a-py...

eranation 9 years ago | | |

Congrats Guillaume! How much of ScalaKata code is in there? Sorry if I missed it in the post, but is Scastie open source? I'd love to finally fix scalatutorials.com :) p.s. did you guys consider using a "serverless" architecture to isolate runners instead of docker? Also, are you running it with java -Djava.security.manager? If not then why?

masgui 9 years ago | | |

The security manager can be disabled using reflection. If you don't allow you loose some libraries like Akka. The main thing that is missing from ScalaKata is autocompletion and it will be implemented in the summer during the GSOC. AWS lambda could be worth investigating. We don't expose an API for evaluating but others have expressed this need. Can you create an issue on GitHub for that?

wsargent 9 years ago | | |

You can use an agent to disable the security manager disabling. :-)

https://tersesystems.com/2016/01/19/redefining-java-dot-lang...

eranation 9 years ago | | |

Gladly, sorry for the silly question, but on which repo? Scala Lang main website? Scalakata?

masgui 9 years ago | | |

This is the main repo: https://github.com/scalacenter/scastie. It's not at silly question at all.

j_s 9 years ago | | |

I recommend to at least wrap all the containers in a VM between the docker containers and your server-side orchestration code.

SELinux also helps, from what I've read.

https://news.ycombinator.com/item?id=14245428

monksy 9 years ago | |

/etc/shadow works as well :S But there are not encrypted bits in it.

atemerev 9 years ago |

Hi Heather!

Looks like you've got a Hacker News effect on your shoulders. :) Servers seem to be overloaded.

TeMPOraL 9 years ago | |

Nah, that's probably just Hacker Effect of people rebooting the container ;).

masgui 9 years ago | |

Working for me (TM).

drewda 9 years ago |

Seems like the Scala and SBT equivalent of https://npm.runkit.com/ (which allows in-browser use of Node and NPM packages)

mark_l_watson 9 years ago |

This looks cool, I just experimented with it. I am curious: what is the business model for this? Server costs are probably fairly expensive.

masgui 9 years ago | |

We are the [Scala Center](https://scala.epfl.ch). We are a non-profit organization. Our revenue is from donations. This service will be forever free.

stephen123 9 years ago |

Its great to see so much good stuff going on in Scala land!

wiradikusuma 9 years ago |

I'm a Scala developer but I don't understand what is Scastie. How does it benefit from the perspective of developers like me?

richardwhiuk 9 years ago | |

It's an interactive playground for Scala so you can share code and send it to other people.

https://scastie.scala-lang.org/

hayd 9 years ago |

Will this allow running a play app? (with debug etc) ??

masgui 9 years ago | |

Yes it can run anything sbt can.

https://scastie.scala-lang.org/MasseGuillaume/62vmEr9XR0qDWw...

freekh 9 years ago |

This looks so cool!!! Can't wait to try it out!

aghll0ihph2bbe8 9 years ago |

How am I supposed to dismiss this modal window? http://i.imgur.com/atx6KsX.png

masgui 9 years ago | |

hum this look like a but in safari https://github.com/scalacenter/scastie/issues/. You can visit this link: https://scastie.scala-lang.org/MasseGuillaume/kHn9lemPTayxoY... and it will clear the modal.